Microsoft will also pay a bounty for significant security misconfigurations discovered by researchers, who must be at least 14 years of age and registered for taxation.

While Microsoft encourages submissions and provides test environments for the bug bounty program, the company limits the vulnerability hunt to the above flaws only.

Social engineering, denial of service attempts, accessing others' data and moving beyond proofs of concept for server-side code execution are not acceptable, and Microsoft warns it may respond to what it thinks are malicious activities in its network.

As with Google's bug bounty program and security vendor Trend Micro's Pwn2Own competition, finding flaws in Microsoft's online services can be lucrative for researchers: the minimum payout for a qualified vulnerability is US$500 (A$657), going up to a maximum of US$15,000.

In total, Microsoft said it has paid out over US$500,000 in bug bounties. Researchers from Hewlett-Packard's Zero Day Initiative, Context Security and NSFOCUS have been rewarded with US$100,000-sized payments for discovering mitigation bypasses.
